Preventing the Other Kind of Hack Back

There has been endless discussion among security professionals about the ethics, propriety, legality, and effectiveness of corporations “hacking back” against attackers. On the other hand, there is no hesitation on the part of attackers to hack back against threat intelligence researchers who are investigating them. Identification and retaliation are a constant risk for anyone probing the darkest back alleys of the internet.

There are two paths criminals use to attack investigators: they can try to compromise the investigator’s computer directly, or they can identify and attack the organization behind the investigation. Many techniques can protect against both paths.

What’s at Risk

Attacks on the organization are the more potentially damaging risk. By properly hiding your identity during your investigations, the target will not know who to attack. Attacks on your organization can manifest in many ways, including DDOS, phishing, and hacking. In some cases, the counter-attack can be against the investigating organization’s reputation. I worked with a toy company that discovered that some of its products were appearing in adult videos. In the course of their unprotected research, they were identified. The adult video website then publicized the fact that the toy company personnel were frequent visitors to the website, causing the company significant embarrassment.

Covering Your Tracks

As the Russian DNC hackers showed, it is not easy to maintain your anonymity. The first step is to ensure that your visible IP address is not associated with your organization. That means not only that it should not be a company IP, but that it can’t be a coffee shop in the building or any other address which could easily be connected with the organization. Because many protocols can leak identifying information, take care to ensure that all communications from your desktop go out through your chosen IP.

It is critical to hide your identity from the very beginning, and each and every time after. The Russian hackers only forgot to turn on their VPN once, exposing their real IP address. From that one mistake, all of their activities could be attributed back to the GRU.

Hiding your Fingerprint

After hiding your IP, you need to take care of all the other ways an attacker can identify your computer. Your browser fingerprint, cookies, and super cookies can all quickly expose your organization. Conducting all of your investigations inside a clean virtual machine, used only for this purpose, can be very effective at protecting your identity. Even seemingly innocuous activities can expose you. Any personal browsing, searching, or social media use within the virtual machine can leak identifying information to a savvy opponent.

Carefully isolating the virtual machine from your real desktop can go a long way toward preventing damage from any direct counter-attacks while investigating. Any malware they sneak past your scanners will be destroyed when the virtual machine is rolled back. Restricting all network traffic to only flow over a VPN to your chosen exit point ensures that malware can’t scan your local network for vulnerable targets or identifying device names.

Actively investigating and infiltrating criminal groups online is not “hacking back,” but it may provoke that as a response. Taking proper care during your online activities can ensure that you get the information you need without putting yourself at risk.

Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principle author on multiple Internet anonymity and security technology patents. He holds an M.S. in physics from the University of California, San Diego and a B.S. in physics from the University of California, Santa Cruz. In his spare time Lance grows high-end pinot noir grapes in the Russian River Valley AVA.